Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Certificate Fails to create when associated to a Key Vault #3732

Open
TomMakes opened this issue Nov 25, 2024 · 9 comments
Open

Certificate Fails to create when associated to a Key Vault #3732

TomMakes opened this issue Nov 25, 2024 · 9 comments
Labels
impact/usability Something that impacts users' ability to use the product easily and intuitively kind/bug Some behavior is incorrect or out of spec kv keyvault

Comments

@TomMakes
Copy link

TomMakes commented Nov 25, 2024

What happened?

I am trying to create a key vault and certificate in an existing resource group.
The key vault is able to be created, but the certificate fails with an error,
error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="The parameter Properties.KeyVaultId has an invalid value." Details=[{"Message":"The parameter Properties.KeyVaultId has an invalid value."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"51008","Message":"The parameter Properties.KeyVaultId has an invalid value.","MessageTemplate":"The parameter {0} has an invalid value.","Parameters":["Properties.KeyVaultId"]}}]

Things I've tried:

  • If I try to create the certificate after the key vault has been created in a previous pulumi up, I get the same error.
  • Hardcoding the KeyVaultId value as the ResourceId of the key vault still gives me the error.
  • If I create the certificate without providing a KeyVaultId it is successful.
  • If I create the certificate using Azure CLI, I am able to create the certificate inside of the key vault. It is successful.

Example

Cert creation script

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=US/ST=MA/L=Boston/O=TestOrg/OU=devops/CN=demo.test.io"
openssl pkcs12 -export -in cert.pem -inkey key.pem -out test-cert-2.pfx

Pulumi file

// ESLINT RULES
/* eslint-disable no-unused-vars */

import * as pulumi from '@pulumi/pulumi';
import * as azure_native from '@pulumi/azure-native';
import * as v20240401_native_web from '@pulumi/azure-native/web/v20240401';
import * as fs from 'fs';
// constants
import { CONSTS } from '../azure/constant_values';

// Load environment variables
// eslint-disable-next-line @typescript-eslint/no-var-requires
const dotenv = require('dotenv');
dotenv.config({ path: '../.env' });

const buildTestInfrastructure = async () => {
	// Create an Azure Resource Group
	const RESOURCE_GROUP_NAME = 'demo-test-rg';
	const AZURE_TENANT_ID = process.env.AZURE_TENANT_ID as string;

	/* *************************************************************
	 *  #KEY VAULT #KEYVAULT
	 **************************************************************** */

	const keyvault_name = 'test-key-vault';
	const keyvault = new azure_native.keyvault.Vault(
		keyvault_name,
		{
			location: CONSTS.LOCATION.CENTRAL_US_LOWER,
			properties: {
				accessPolicies: [
					{
						// group for devops
						objectId: '958d1200-4a93-4cfd-8019-b61847252a9b',
						permissions: {
							secrets: [
								azure_native.keyvault.SecretPermissions.Get,
								azure_native.keyvault.SecretPermissions.List,
								azure_native.keyvault.SecretPermissions.Set,
								azure_native.keyvault.SecretPermissions.Delete,
								azure_native.keyvault.SecretPermissions.Backup,
								azure_native.keyvault.SecretPermissions.Restore,
								azure_native.keyvault.SecretPermissions.Recover,
								azure_native.keyvault.SecretPermissions.Purge
							],
							keys: [
								azure_native.keyvault.KeyPermissions.Get,
								azure_native.keyvault.KeyPermissions.List,
								azure_native.keyvault.KeyPermissions.Update,
								azure_native.keyvault.KeyPermissions.Create,
								azure_native.keyvault.KeyPermissions.Delete,
								azure_native.keyvault.KeyPermissions.Purge
							],
							certificates: [
								azure_native.keyvault.CertificatePermissions.Get,
								azure_native.keyvault.CertificatePermissions.List,
								azure_native.keyvault.CertificatePermissions.Delete,
								azure_native.keyvault.CertificatePermissions.Create,
								azure_native.keyvault.CertificatePermissions.Import,
								azure_native.keyvault.CertificatePermissions.Update,
								azure_native.keyvault.CertificatePermissions.Getissuers,
								azure_native.keyvault.CertificatePermissions.Listissuers,
								azure_native.keyvault.CertificatePermissions.Recover,
								azure_native.keyvault.CertificatePermissions.Purge,
								azure_native.keyvault.CertificatePermissions.Backup,
								azure_native.keyvault.CertificatePermissions.Restore
							]
						},
						tenantId: AZURE_TENANT_ID
					}
				],
				enableRbacAuthorization: false,
				enableSoftDelete: false,
				enabledForDeployment: true,
				enabledForDiskEncryption: true,
				enabledForTemplateDeployment: true,
				provisioningState:
					azure_native.keyvault.VaultProvisioningState.Succeeded,
				publicNetworkAccess: 'Enabled',
				sku: {
					family: azure_native.keyvault.SkuFamily.A,
					name: azure_native.keyvault.SkuName.Standard
				},
				softDeleteRetentionInDays: 90,
				tenantId: AZURE_TENANT_ID,
				vaultUri: `https://${keyvault_name}.vault.azure.net/`
			},
			resourceGroupName: RESOURCE_GROUP_NAME,
			vaultName: keyvault_name
		},
		{
			protect: false
		}
	);

	const ssl_cert_name = 'test-cert';
	const ssl_cert_password = process.env.SSL_CERT_PASSWORD;
	const ssl_cert_filename = `../certs/2025/test-cert-2.pfx`;

	const ssl_certificate = new v20240401_native_web.Certificate(ssl_cert_name, {
		keyVaultId:
			keyvault.id,
		name: ssl_cert_name,
		resourceGroupName: RESOURCE_GROUP_NAME,
		location: CONSTS.LOCATION.CENTRAL_US_LOWER,
		pfxBlob: Buffer.from(
			fs.readFileSync(ssl_cert_filename) as unknown as string,
			'binary'
		).toString('base64'),
		password: ssl_cert_password
	});

};
buildTestInfrastructure().then(async () => {
	console.log('done');
});

Output of pulumi about

CLI
Version 3.134.1
Go Version go1.23.1
Go Compiler gc

Plugins
KIND NAME VERSION
resource azure 6.0.0
resource azure-native 2.65.1
resource azuread 5.53.4
language nodejs unknown
resource random 4.13.2

Host
OS Microsoft Windows 11 Pro
Version 10.0.22631 Build 22631
Arch x86_64

This project is written in nodejs: executable='C:\Program Files\nodejs\node.exe' version='v18.10.0'

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@TomMakes TomMakes added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Nov 25, 2024
@danielrbradley
Copy link
Member

Hi @TomMakes sorry you're having some challenges with this resource. I've done a little digging myself and can't see anything obviously wrong with your setup. I've not been able to run the sample code as it depends on a few external pieces to be implemented (env, consts and the actual cert binary).

If the creation via the CLI is working, I'd suggest using that to export an ARM template and inspect how that is structured. This might give an indication as to the values the Azure service is happy with.

Another option to try out is using a different version of the resource. These are located as sub-packages within the azure-native SDK e.g. @pulumi/azure-native/web/v20240401. The behaviour sometimes varies between API versions. The default version is currently using 2022-09-01 for the web.Certificate so this might be fixed in a more recent version.

@danielrbradley danielrbradley added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Nov 27, 2024
@TomMakes
Copy link
Author

TomMakes commented Dec 4, 2024

Hi @danielrbradley
I updated my example code and provided the commands I used to generate the cert I'm using. I hope this helps you with reproducing the error.

I looked at the ARM template, and it doesn't look too useful.

I tried using v20240401_native_web and it gave me the same error, so sadly that didn't fix anything.

Here is the ARM template output

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaults_test_key_vault_3_name": {
            "defaultValue": "test-key-vault-3",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2024-04-01-preview",
            "name": "[parameters('vaults_test_key_vault_3_name')]",
            "location": "centralus",
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "standard"
                },
                "tenantId": "35a7d303-0fa8-4387-a3ba-9416897264e1",
                "accessPolicies": [
                    {
                        "tenantId": "35a7d303-0fa8-4387-a3ba-9416897264e1",
                        "objectId": "958d1200-4a93-4cfd-8019-b61847252a9b",
                        "permissions": {
                            "certificates": [
                                "get",
                                "list",
                                "delete",
                                "create",
                                "import",
                                "update",
                                "getissuers",
                                "listissuers",
                                "recover",
                                "purge",
                                "backup",
                                "restore"
                            ],
                            "keys": [
                                "get",
                                "list",
                                "update",
                                "create",
                                "delete",
                                "purge"
                            ],
                            "secrets": [
                                "get",
                                "list",
                                "set",
                                "delete",
                                "backup",
                                "restore",
                                "recover",
                                "purge"
                            ]
                        }
                    }
                ],
                "enabledForDeployment": true,
                "enabledForDiskEncryption": true,
                "enabledForTemplateDeployment": true,
                "enableSoftDelete": false,
                "softDeleteRetentionInDays": 90,
                "enableRbacAuthorization": false,
                "vaultUri": "[concat('https://', parameters('vaults_test_key_vault_3_name'), '.vault.azure.net/')]",
                "provisioningState": "Succeeded",
                "publicNetworkAccess": "Enabled"
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/keys",
            "apiVersion": "2024-04-01-preview",
            "name": "[concat(parameters('vaults_test_key_vault_3_name'), '/test-cert-2')]",
            "location": "centralus",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_test_key_vault_3_name'))]"
            ],
            "properties": {
                "attributes": {
                    "enabled": true,
                    "nbf": 1733255158,
                    "exp": 2048615158
                }
            }
        },
        {
            "type": "Microsoft.KeyVault/vaults/secrets",
            "apiVersion": "2024-04-01-preview",
            "name": "[concat(parameters('vaults_test_key_vault_3_name'), '/test-cert-2')]",
            "location": "centralus",
            "dependsOn": [
                "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_test_key_vault_3_name'))]"
            ],
            "properties": {
                "contentType": "application/x-pkcs12",
                "attributes": {
                    "enabled": true,
                    "nbf": 1733255158,
                    "exp": 2048615158
                }
            }
        }
    ]
}

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Dec 4, 2024
@thomas11
Copy link
Contributor

thomas11 commented Dec 5, 2024

Hi @TomMakes, could it be missing permissions to the Vault? The docs here say

By default, 'Microsoft.Azure.WebSites' Resource Provider (RP) doesn't have access to the Key Vault specified in the template hence you need to authorize it by executing the following PowerShell commands before deploying the template

and I don't see such an access policy for your Vault. Although, admittedly, the "invalid value" error would be strange in this cause.

If that still doesn't help, could you run pulumi up --logtostderr --logflow -v=9 2> out.txt to enable debug logging? Outgoing requests to Azure are marked by Request: ==> OUTGOING REQUEST and could help us spot the problem.

@thomas11 thomas11 added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Dec 5, 2024
@TomMakes
Copy link
Author

TomMakes commented Dec 10, 2024

Hi @thomas11, I've been poking around these past few days and tried a few things:

  1. I added the permission to my vault for Microsoft.Azure.WebSites (resourceID abfa0a7c-a6b6-4736-8310-5855508787cd) so it can get secrets.
    This didn't have an effect on the issue. I also tried looking around my Azure environment to see if possibly Microsoft.Azure.WebSites had a different resourceID from what was posted, but I couldn't locate any resource with that name.
  2. I thought that I could look into how certificates are imported through ARM, but I learned that there is no support for importing certificates that way.
    https://learn.microsoft.com/en-us/azure/key-vault/certificates/faq#can-i-import-a-certificate-by-using-an-arm-template-

No, it isn't possible to perform certificate operations by using an Azure Resource Manager (ARM) template.

  1. I tried an older version, '@pulumi/azure-native/web/v20201201' to see if this would have an effect on the certificate import, it did not.
  2. I create a debug output using level 11, as 9 was not giving me much information about the PUT request. I looked through and removed some sensitive information, like the password used for the certificate. Below is the snippet:


I1205 13:43:38.366589  237223 api.go:314] Pulumi API call details (https://api.pulumi.com/api/stacks/Wabbi/demo-test-iac/test-azure-certificate/update/40feb73a-786b-4298-936a-a1762fb9bdae/events/batch): headers=map[Accept:[application/vnd.pulumi+8] Accept-Encoding:[gzip] Authorization:[] Content-Encoding:[gzip] Content-Type:[application/json] User-Agent:[pulumi-cli/1 (v3.142.0; linux)]]; body={"events":[{"sequence":253,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eX-Ms-Correlation-Request-Id: 495cd61a-f380-4917-b689-2afae373e1eb\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":254,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eX-Ms-Failure-Cause: gateway\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":255,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eX-Ms-Request-Id: 495cd61a-f380-4917-b689-2afae373e1eb\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":256,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eX-Ms-Routing-Request-Id: EASTUS2:20241205T184338Z:495cd61a-f380-4917-b689-2afae373e1eb\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":257,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eX-Msedge-Ref: Ref A: 0F5A28C77DCE4425A981E032CBF92DB0 Ref B: MNZ221060619029 Ref C: 2024-12-05T18:43:38Z\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":258,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003e{\"error\":{\"code\":\"ResourceNotFound\",\"message\":\"The Resource 'Microsoft.Web/certificates/test' under resource group 'demo-test-rg' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix\"}}\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":259,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003e===================================================== HTTP Response End GET https://management.azure.com/subscriptions/a0a9737a-e457-4f55-89e4-bc9588b4f609/resourceGroups/demo-test-rg/providers/Microsoft.Web/certificates/test?api-version=2024-04-01\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":260,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eI1205 13:43:38.124859  237622 client.go:441] HTTP Request Begin PUT https://management.azure.com/subscriptions/a0a9737a-e457-4f55-89e4-bc9588b4f609/resourceGroups/demo-test-rg/providers/Microsoft.Web/certificates/test?api-version=2024-04-01 ===================================================\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":261,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003ePUT /subscriptions/a0a9737a-e457-4f55-89e4-bc9588b4f609/resourceGroups/demo-test-rg/providers/Microsoft.Web/certificates/test?api-version=2024-04-01 HTTP/1.1\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":262,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eHost: management.azure.com\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":263,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eUser-Agent: Go/go1.22.7 (amd64-linux) go-autorest/v14.2.1 Go/go1.22.7 (amd64-linux) go-autorest/v14.2.1 pulumi-azure-native/2.65.1 pid-a90539d8-a7a6-5826-95c4-1fbef22d4b22\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":264,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eContent-Length: 6039\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":265,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003eContent-Type: application/json; charset=utf-8\r\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":266,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003e{\"location\":\"centralus\",\"properties\":{\"keyVaultId\":\"/subscriptions/a0a9737a-e457-4f55-89e4-bc9588b4f609/resourceGroups/demo-test-rg/providers/Microsoft.KeyVault/vaults/test-key-vault-3\",\"password\":\"REDACTED\",\"pfxBlob\":\"REDACTED\"}}\n\u003c{%reset%}\u003e\n","color":"raw","severity":"info#err"}},{"sequence":267,"timestamp":1733424218,"diagnosticEvent":{"message":"\u003c{%reset%}\u003e===================================================== HTTP Request End PUT https://management.azure.com/subscriptions/a0a9737a-e457-4f55-89e4-bc9588b4f609/resourceGroups/
I1205 13:43:39.015095  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>I1205 13:43:39.014971  237622 client.go:464] HTTP Response Begin PUT [https://management.azure.com/subscriptions/a0a9737a-e457-4f55-89e4-bc9588b4f609/resourceGroups/wabbi-test-rg/providers/Microsoft.Web/certificates/test?api-version=2024-04-01 ===================================================
<{%reset%}>)
I1205 13:43:39.015184  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>HTTP/2.0 400 Bad Request
<{%reset%}>)
I1205 13:43:39.015207  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Content-Length: 459
<{%reset%}>)
I1205 13:43:39.015216  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Cache-Control: no-cache
<{%reset%}>)
I1205 13:43:39.015229  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Content-Type: application/json; charset=utf-8
<{%reset%}>)
I1205 13:43:39.015238  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Date: Thu, 05 Dec 2024 18:43:38 GMT
<{%reset%}>)
I1205 13:43:39.015248  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Expires: -1
<{%reset%}>)
I1205 13:43:39.015255  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Pragma: no-cache
<{%reset%}>)
I1205 13:43:39.015267  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>Strict-Transport-Security: max-age=31536000; includeSubDomains
<{%reset%}>)
I1205 13:43:39.015290  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Aspnet-Version: 4.0.30319
<{%reset%}>)
I1205 13:43:39.015303  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Cache: CONFIG_NOCACHE
<{%reset%}>)
I1205 13:43:39.015311  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Content-Type-Options: nosniff
<{%reset%}>)
I1205 13:43:39.015356  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Ms-Correlation-Request-Id: 5776b002-7815-4fb9-b671-9a6e581c1af1
<{%reset%}>)
I1205 13:43:39.015404  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Ms-Ratelimit-Remaining-Subscription-Global-Writes: 2999
<{%reset%}>)
I1205 13:43:39.015425  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Ms-Ratelimit-Remaining-Subscription-Writes: 199
<{%reset%}>)
I1205 13:43:39.015444  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Ms-Request-Id: 5776b002-7815-4fb9-b671-9a6e581c1af1
<{%reset%}>)
I1205 13:43:39.015466  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Ms-Routing-Request-Id: EASTUS2:20241205T184338Z:5776b002-7815-4fb9-b671-9a6e581c1af1
<{%reset%}>)
I1205 13:43:39.015481  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Msedge-Ref: Ref A: 7F2870CDC4B44891A077F4B0C6959089 Ref B: MNZ221060619029 Ref C: 2024-12-05T18:43:38Z
<{%reset%}>)
I1205 13:43:39.015500  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>X-Powered-By: ASP.NET
<{%reset%}>)
I1205 13:43:39.015517  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>{"Code":"BadRequest","Message":"The parameter Properties.KeyVaultId has an invalid value.","Target":null,"Details":[{"Message":"The parameter Properties.KeyVaultId has an invalid value."},{"Code":"BadRequest"},{"ErrorEntity":{"ExtendedCode":"51008","MessageTemplate":"The parameter {0} has an invalid value.","Parameters":["Properties.KeyVaultId"],"Code":"BadRequest","Message":"The parameter Properties.KeyVaultId has an invalid value."}}],"Innererror":null}
<{%reset%}>)
I1205 13:43:39.015536  237223 eventsink.go:78] eventSink::Infoerr(<{%reset%}>===================================================== HTTP Response End PUT https://management.azure.com/

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Dec 10, 2024
@thomas11
Copy link
Contributor

Thank you for the log. We can see that the KV id is /subscriptions/REDACTED/resourceGroups/demo-test-rg/providers/Microsoft.KeyVault/vaults/test-key-vault-3 which looks correct to me (assuming that's the correct KV name, in your original program it's test-key-vault without the -3).

Unfortunately, it's hard for me to tell what Azure finds wrong here given the unhelpful error message.

However, looking around the web a bit, I get the impression that the Microsoft.Web/certificates API is only intended to add existing certificates to a web app. I.e., add the cert with the given name, in the given keyVaultId, to the web app. Here's a page on the end-to-end process - it shows how the cert is added as a plain secret (Pulumi Secret), then used via Microsoft.Web/certificates.

@thomas11 thomas11 added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Dec 11, 2024
@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Dec 12, 2024
@thomas11 thomas11 added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Dec 13, 2024
@TomMakes
Copy link
Author

TomMakes commented Dec 13, 2024

Upon further investigation my team decided it was best to try another route, going with the Azure classic provider ('@pulumi/azure').

We were able to get the key vault and certificate created in the key vault using this code.

Pulumi.yaml

name: demo-test-iac
runtime: nodejs
description: A minimal Azure Native TypeScript Pulumi program designed to build up a small environment for debugging purposes.
config:
  azure:subscriptionId: <insert subscription id here for azure authentication purposes>

index.ts

import * as azure from '@pulumi/azure';
import * as std from "@pulumi/std";

import { CONSTS } from '../azure/constant_values';

// Load environment variables
// eslint-disable-next-line @typescript-eslint/no-var-requires
const dotenv = require('dotenv');
dotenv.config({ path: '../.env' });

const current = azure.core.getClientConfig({});

const buildTestInfrastructure = async () => {
	const RESOURCE_GROUP_NAME = 'demo-test-rg';
	const AZURE_TENANT_ID = process.env.AZURE_TENANT_ID as string;

	const keyvault_name = 'test-key-vault-7';
	const keyvault = new azure.keyvault.KeyVault(keyvault_name, {
		name: keyvault_name,
		location: CONSTS.LOCATION.CENTRAL_US_LOWER,
		resourceGroupName: RESOURCE_GROUP_NAME,
		enabledForDiskEncryption: true,
		tenantId: current.then(current => current.tenantId),
		softDeleteRetentionDays: 7,
		purgeProtectionEnabled: false,
		skuName: "standard",
		accessPolicies: [
			{
				objectId: '958d1200-4a93-4cfd-8019-b61847252a9b',
				certificatePermissions:  ['Get', 'List', 'Import', 'Delete', 'Purge'],
				secretPermissions: ['Set', 'Get', 'List', 'Delete', 'Purge'],
				tenantId: AZURE_TENANT_ID
			},
		]
	});

	const ssl_cert_name = 'test-cert';
	const ssl_cert_password = process.env.SSL_CERT_PASSWORD;
	const ssl_cert_filename = `../certs/2025/test_demo_io.pfx`;

	const exampleCertificate = new azure.keyvault.Certificate("example-cert", {
		name: ssl_cert_name,
		keyVaultId: keyvault.id,
		certificate: {
			contents: std.filebase64({
				input: ssl_cert_filename,
			}).then(invoke => invoke.result),
			password: ssl_cert_password,
		},
	});
};

buildTestInfrastructure().then(async () => {
	console.log('done');
});

pulumi about output

CLI
Version      3.134.1
Go Version   go1.23.1
Go Compiler  gc

Plugins
KIND      NAME          VERSION
resource  azure         6.13.0
resource  azure-native  2.65.1
resource  azuread       5.53.4
language  nodejs        unknown
resource  random        4.13.2
resource  std           1.7.3

Host
OS       Microsoft Windows 11 Pro
Version  10.0.22631 Build 22631
Arch     x86_64

This project is written in nodejs: executable='C:\Program Files\nodejs\node.exe' version='v18.20.5'

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Dec 13, 2024
@thomas11
Copy link
Contributor

Hi @TomMakes, glad you're unblocked for now. I think I see where the problem comes from: in azure-native, you're using the web.Certificate resource - note the web. It's used for associating a cert to a web app. I assumed that's what you were trying to do. However, if you're simply creating a certificate in Key Vault, you would use the keyvault.Secret resource like this:

const certificateSecret = new azure.keyvault.Secret("myCertificate", {
    vaultName: keyVault.name,
    resourceGroupName: rg.name,
    properties: {
        value: "<base64-encoded-certificate>",
        contentType: "application/x-pkcs12", // or "application/x-pem-file" depending on your certificate format
    },
});

@thomas11 thomas11 added kv keyvault impact/usability Something that impacts users' ability to use the product easily and intuitively and removed needs-triage Needs attention from the triage team labels Dec 16, 2024
@TomMakes
Copy link
Author

Hi @TomMakes, glad you're unblocked for now. I think I see where the problem comes from: in azure-native, you're using the web.Certificate resource - note the web. It's used for associating a cert to a web app. I assumed that's what you were trying to do. However, if you're simply creating a certificate in Key Vault, you would use the keyvault.Secret resource like this:

const certificateSecret = new azure.keyvault.Secret("myCertificate", {
vaultName: keyVault.name,
resourceGroupName: rg.name,
properties: {
value: "",
contentType: "application/x-pkcs12", // or "application/x-pem-file" depending on your certificate format
},
});

Hi @thomas11 thanks for the reply, my only issue with this way of creating a certificate is that I can't provide a password to use to decrypt the certificate.

@thomas11
Copy link
Contributor

You could decrypt it locally in your Pulumi program. You can obtain the password from Pulumi config or any source really, read the cert, and put the decrypted value into the Secret. Not sure about all the security implications of this but KV will strip passwords from certificates upon import anyway ("Once the certificate file is successfully imported, key vault will remove that password.").

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
impact/usability Something that impacts users' ability to use the product easily and intuitively kind/bug Some behavior is incorrect or out of spec kv keyvault
Projects
None yet
Development

No branches or pull requests

4 participants